About RevealX Network Detection and Response
What is RevealX network detection and response (NDR)?
RevealX NDR leverages your networks as a source of truth to reveal anomalous and malicious activity that your perimeter, endpoint, and even other NDR tools don’t see. RevealX combines four powerful technologies into a single platform: NDR, network performance monitoring (NPM), intrusion detection (IDS), and network forensics. This unique combination enables you to see every step that active threat actors take as they move laterally across your hybrid or multi-cloud network, using encrypted business applications that hide their progress from other detection techniques. For a detailed look at RevealX NDR, visit the RevealX NDR overview page.
How does RevealX NDR differ from RevealX network performance monitoring (NPM)?
While both core modules are critical for risk reduction and the business resiliency of your network, RevealX NDR is focused on cybersecurity, and RevealX NPM is focused on performance. RevealX NDR proactively detects potential cyber threats across the attack surface, while RevealX NPM actively monitors potential network and application performance issues. For more information, visit the RevealX NPM overview page.
How does ExtraHop RevealX NDR detect threats?
RevealX NDR takes a full-spectrum detection approach that combines real-time detection of the latest CVEs and continuous behavioral machine learning to catch stealthy, post-compromise attacker tactics, techniques, and procedures. For a deeper dive into ExtraHop’s detections, read our Detections White Paper.
How does ExtraHop’s machine learning work?
ExtraHop creates structured records from raw network packets and then securely transports those records to ExtraHop Cloud Services, where we use them to train advanced machine learning (ML) models to deliver accurate detections and insights to RevealX NDR users. For more detailed information, read this blog.
In addition to NDR, what other security modules are available for the RevealX platform?
The RevealX platform enables users to integrate modules for Intrusion Detection System (IDS) and Packet Forensics with a scalable packet capture (PCAP) repository.
Can I purchase IDS and/or Packet Forensics modules as standalone products?
No. IDS and Packet Forensics modules are add-on modules to the RevealX platform’s core NDR module and cannot be purchased as standalone products.
Does ExtraHop offer RevealX NDR as a managed security service?
RevealX NDR is available as a managed security service via trusted partners such as Binary Defense. For more information, visit Managed Service Provider Partner Program.
RevealX NDR Details
How do I deploy ExtraHop RevealX NDR?
The RevealX platform consists of a set of components based on your environmental needs: sensors, recordstores, and a console for centralized management and unified data views. All components are available in physical, virtual, and cloud-based options that are sized based on your needs.
Where can I deploy ExtraHop RevealX NDR?
You can deploy RevealX NDR in on-premises, remote, and cloud environments. For more information, visit ExtraHop Deployment.
Does ExtraHop offer deployment assistance?
Yes, ExtraHop offers a range of implementation services to ensure RevealX NDR is set up, receiving and processing inbound data, and ready for operational and management handoff.
The ExtraHop team can also assist with onboarding. To learn more, read this brief.
Can RevealX NDR decrypt encrypted network traffic to identify threats?
Yes. RevealX NDR can decrypt SSL/TLS (including TLS 1.3), NTLM, Kerberos, and SMBv3 network traffic. This is a key difference between RevealX and other solutions. Most other solutions only look at the 3-way TLS handshake and metadata about the session. No other solution does TLS decryption as well as decryption of NTLM, Kerberos, and SMBv3 traffic in real time, which is critical for detecting many kinds of Active Directory-based attacks. It also decodes 90+ protocols, including common Microsoft protocols such as SMBv3, Kerberos, Active Directory, and MSRPC, to provide full visibility into encrypted traffic across the attack surface.
What are “protocol decodes” in RevealX and why do they matter?
When you think of a typical client/server conversation over the network, you can think of the network protocol as the language they are speaking. Without speaking the language, all you really know is that one person called the other and said a certain number of words over time, but it’s very hard to tell whether the nature of that conversation was “good” or “bad.” RevealX can serve as your translator for over 90 network protocols, making it easy for you to tell the difference between normal and malicious activity across your on-premises and multi-cloud networks.
How does RevealX NDR monitor network traffic?
RevealX NDR uses a port mirror or tap to passively ingest network traffic. ExtraHop conducts real-time stream processing of network traffic data and transforms the unstructured packets into structured wire data for deep analysis.
As an ExtraHop customer, would I have a dedicated customer support and/or success team?
The ExtraHop Customer Success team is a dedicated resource for all ExtraHop customers and can help with success planning, operational assessments, product aid, and more.
What professional services are available for ExtraHop RevealX customers?
ExtraHop offers a credit-based system for professional services, including implementation assistance, training, integrations, support, and more. To learn more, visit ExtraHop Professional Services.
Integrations
What cybersecurity integrations are available with ExtraHop RevealX NDR?
ExtraHop has several integrations with leading vendors, including CrowdStrike, Splunk, Netskope, AWS, Microsoft, Gigamon, and more. Every ExtraHop customer has access to CrowdStrike Falcon Intelligence. To learn more, visit ExtraHop Integrations and Automations.
Can I integrate RevealX NDR with other data stores, querying tools, and analytics platforms in my stack?
RevealX NDR offers robust query and investigation workflows within its user interface, but you can also integrate ExtraHop enriched network data with other back-ends like EDR and SIEM. The RevealX NDR Open Data Stream allows you to merge data from multiple sources into a single, rich set that can be queried and visualized using whatever tools your team prefers. RevealX NDR data can also be sent to data lakes.
Purchasing and Billing
Where can I purchase ExtraHop RevealX NDR?
You can purchase RevealX NDR directly from ExtraHop, through trusted channel partners and distributors, or via transactable listings on marketplaces such as the AWS Marketplace. For more information, Contact Us.
What is the pricing model for ExtraHop RevealX?
RevealX is sold as either a virtual or physical sensor under subscription-based pricing and has two deployment models: SaaS-based RevealX 360 and on-premises RevealX Enterprise. RevealX 360 pricing is based on the number of Discovered Devices, daily record ingest capacity, and record lookback period (30, 90, or 180 days). RevealX Enterprise pricing is based on the number of Discovered Devices and does not include record capacity. Customers can bundle modules for each deployment model to fit functional and capacity needs. For more information, Contact Us.
How does ExtraHop determine my number of Discovered Devices and record ingest?
Each device that is discovered by a single ExtraHop sensor and which has a unique identifier counts towards your licensed device capacity. If a device is discovered by multiple sensors, that device is counted towards the device capacity for each unique sensor, and counts towards your total device capacity.
About RevealX Network Performance Monitoring
What is RevealX network performance monitoring (NPM)?
RevealX NPM is a module of ExtraHop’s modern NDR platform. NPM transforms raw packets into real-time insights, allowing you to leverage your network as a central source of truth to understand, monitor, and analyze all traffic across your hybrid environment. NPM’s continuous observability and workflows uncover hidden issues and optimization opportunities by understanding how services and devices interact with each other and how transactions flow across the data link layer (L2) to the application layer (L7) in your network. The platform harnesses cloud-scale machine learning (ML) for real-time analytics, identifying potential network and application performance issues to expedite incident response time.
How does RevealX NPM differ from RevealX network detection and response (NDR)?
While both are essential modules of a modern NDR platform, RevealX NPM focuses on monitoring network performance, whereas RevealX NDR focuses on monitoring network security. NPM actively identifies potential network and application performance issues, whereas NDR proactively identifies potential malicious activity.
What deployment options are available for RevealX NPM?
RevealX NPM is available as both a SaaS-based and on-premises solution. The SaaS-based RevealX 360 provides unified security across on-premises and cloud environments, 360-degree visibility and situational intelligence without friction, and immediate value with a low management burden. RevealX Enterprise is a self-managed solution that provides complete east-west visibility and real-time threat detection inside the perimeter.
What modules are available for RevealX NPM?
RevealX NPM integrates with the ExtraHop Packet Forensics module to provide full packet capture, storage, and retrieval. This scalable packet capture (PCAP) repository delivers cost-effective modular storage, precision packet search in a single workflow, and fast and easy-to-use queries to get answers quickly.
Can I purchase the Packet Forensics module as a standalone product?
No. Packet Forensics is an add-on module to the RevealX platform and cannot be purchased as a standalone product.
Network Performance Monitoring Details
How do I deploy RevealX NPM?
RevealX NPM consists of a set of components based on your environmental needs: sensors, packetstores, recordstores, and a console for centralized management and unified data views. You can deploy all components as physical, virtual, and cloud-based options based on your needs.
Does ExtraHop offer deployment assistance?
Yes, ExtraHop offers a range of implementation services to ensure RevealX NPM is set up, receiving and processing inbound data, and ready for operational and management handoff. The ExtraHop team can also assist with onboarding. To learn more, read this brief.
How does RevealX NPM monitor network traffic?
RevealX NPM passively observes unstructured packets through a port mirror or tap, and stores the data in a local datastore. The network traffic data undergoes real-time stream processing, which transforms the packets into structured wire data for analysis.
Which enterprise protocols does RevealX NPM support?
RevealX NPM supports over 90 enterprise protocols with real-time fluency at the application layer. Protocol modules offer varying levels of analysis, ranging from L7 classification to Application Inspection Triggers that let you create custom metrics.
Does RevealX NPM proactively detect performance issues?
Yes. RevealX NPM proactively detects potential network and application performance issues by leveraging cloud-scale machine learning (ML). The ML service tracks detections in eight categories across your environment. Within each of these categories, the ML evaluates several protocols and hundreds of metrics, all with custom logic, to find and correlate active problems.
Can RevealX NPM monitor encrypted network traffic?
Yes. RevealX can decrypt SSL/TLS (including TLS 1.3) network traffic, as well as common Microsoft protocols, such as SMBv3, Kerberos, Active Directory, and MSRPC, offering complete observability for troubleshooting.
How can I analyze real-time data at an enterprise scale?
RevealX NPM is designed to help enterprises derive meaningful insights from an immense wealth of information through automatically populated role-based dashboards. These dashboards function on a drag-and-drop model so you can customize them further with unique widgets. Along with traditional methods of data visualization like charts and graphs, RevealX NPM uses live activity maps to present a dynamic and intuitive view of your environment.
Integrations
Can RevealX NPM integrate with my existing IT service management (ITSM) and IT operations (IT Ops) tools?
Yes. RevealX NPM integrates with leading IT service management (ITSM) and IT operations (IT Ops) tools, including Splunk, Microsoft, AWS, and more. For organizations that rely on chat platforms to coordinate workflows, RevealX NPM can send information about detections to Slack or other collaboration platforms through a REST API. RevealX NPM also integrates with ticketing systems such as ServiceNow, automatically creating tickets for analyst triage queues and ingesting ticket information to display beside a detection.
Can I integrate RevealX NPM with other data stores, querying tools, and analytics platforms in my stack?
Yes. While rich query and investigation workflows are available within the RevealX NPM interface, it’s also easy to integrate network data metrics with the other data stores, querying tools, and analytics platforms in your stack. The RevealX NPM Open Data Stream allows you to merge data from multiple sources into a single, rich set that can be queried and visualized using whatever tools your team prefers, including AppDynamics, Elastic, MongoDB, and more.